Web Security & Commerce: Make room on your shelves for this one The latest Garfinkel and Spafford book tells us why we should worry about Web security and why Web servers are so vulnerable to attack

August  1997

Garfinkel and Spafford have done it again, publishing a pile if useful information in Web Security & Commerce. This month, Pete's Wicked World provides an in-depth review of the new book. Also in Pete's Wicked World this month: The Bookstore has a pointer to useful security URLs. In The Buglist, Sun has released important patches for talkd and ping bugs. This month's column also introduces new coverage of break-ins. Finally, new commercial products, including Trusted Solaris 2.5.1, are discussed in The Toolbox. And remember that The Solaris Security FAQ is always available for all your Solaris security information needs. (2,700 words)

Mail this article to a friend

here is a new book on the market from O'Reilly and Associates. It continues the reputation O'Reilly has for producing quality books by quality authors on practical topics that are important in the computer industry. Web Security & Internet Commerce is a must-read for those of us with a keen interest in these topics. It starts with a lucid summary of all the reasons that we should worry about Web security, including:

• Publicity -- Companies must keep in mind that just because a Web server does not contain proprietary information, it should not go unguarded. Recent high-profile break-ins at government sites and commercial institutions have shown that damage to reputation is a consequence that must be considered. Web sites are as important as other forms of corporate communications. Because of the newness of the Web, successful attacks on Web sites are well covered in the media.

• Commerce -- As commerce on the Web expands, increasing amounts of financial information will exist on Web servers, and they will become more tempting targets.

• Proprietary information -- Enemies and competitors could gain advantage by stealing information stored on a Web server.

• Network access -- Cracking a Web server can lead to access to other corporate computers or other Web sites.

Advertisements

Web servers at risk
Another reason to worry about Web server security is vulnerability to attack. This vulnerability results from the Web's attributes:

• Server extensibility -- Web servers are flexibly extensible, leaving huge opportunities for the introduction of security flaws.

• Browser extensibility -- Browsers allow arbitrary code to be downloaded and executed as plug-ins, scripts, and standalone programs.

• Standard network protocols -- TCP/IP was not designed for secure communications.

• Complicated support -- The Web is a complicated place, with distributed naming via DNS and packet routing via several protocols. Subverting lower-level services can result in server break-ins or browser failures.

• Pace of development -- The rapid development of Web applications -- and their premature release -- allows for more bugs than in products released after a more traditional development cycle (one complete with internal and external testing and bug fixes).

In fact, Chapter 1 should be required reading at companies with a Web presence. It provides a clear overview of Web security. Rather than resorting to fear, uncertainty, and doubt, it describes the reality of the Web. For instance, it points out that encryption is not useful in many situations. Consider the example of a purchase via credit card over the Web. Encrypting the transaction is not necessary from the customer's point of view because of the customer's very limited liability. Most Web-based credit card thefts occur when the server that holds all the credit card information is breached. In this case the data could have been encrypted, but by the time it is stored on the Web server it is in clear text. Furthermore, encryption and protection of a credit card number is mostly a benefit to the credit card issuer. However, the issuers are working on implementing the SET protocol for just that purpose.

Chapter 1 also includes information that is important to all Web users. For instance, it discusses the liability differences between the use of credit and debit cards for purchases and the real credit card use risks. For the customer, these risks include:

• Information provided during a transaction could be used for other legal or illegal purposes.
• The Web server could retrieve private information from the user's computer.
• The Web server could force the Web browser to act on the user's computer.

For the merchant, there are even more risks:

• Poor Internet or Web server performance could discourage customers.
• A denial of service attack could likewise prevent customer access.
• Competitors could use information from the Web server for competitive advantage.
• Poor security could allow Web page graffiti or credit card number duplication, resulting in embarrassment or financial loss.

Web Security & Commerce includes extensive discussions of all of the issues that are important to Web users and Web sites. In regards to Web users, it discusses such issues as the use of social engineering to induce users to create security holes on their systems, programs that are not safe to use as plug-ins, the power of spoofing, and browser security flaws. In the Java and JavaScript chapter, the language and its security model are discussed, as are the practical issues of setting Java security policy within Navigator and Explorer.

The book is not without its flaws; however, they are minor. For instance, on page 22 SSL is reported to listen on port 447 rather than 443. This port number is correct elsewhere in the book. There are some organizational issues as well, such as the inclusion of the denial-of-service attack section in the Java chapter. The topic might have fit better in Chapter 13: Host and Site Security. Chapter 13, especially compared to the rest of the book, is rather weak. Of course this is not unexpected given that entire books are devoted to just that topic, including the excellent Practical Unix and Internet Security by the same authors. Similarly, the legal aspects that are covered in Chapters 18 and 19 are (as the authors admit) overviews of a larger topic that demands and receives book-length coverage elsewhere. Finally, there is no mention of the role of firewalls in blocking URL access.

The major strengths of the book are its practicality and readability. Major sections on digital certificates and cryptography explain the unexplainable. The information on cryptography and U.S. Export Control Law is valuable to anyone creating a Web site designed for international access. Appendix A contains a case study of running an ISP and makes for interesting reading -- it's a cautionary tale full of wise advice for ISPs and, as it turns out, all computer and phone system managers.

Garfinkel and Spafford have done it again, making me squeeze yet another essential book onto my groaning bookcases. I don't begrudge the space though.

Title: Web Security & Commerce
Author: Simson Garfinkel and Gene Spafford
Publisher: O'Reilly & Associates
ISBN: 1565922697
List price: $32.95

Bug of the Month Club
Unfortunately, Solaris security bugs continue to appear. This month a flaw has been discovered in talkd on practically all versions of Solaris. The bug allows anyone that can connect to the talkd daemon on the target host to execute arbitrary programs as the root user. The details of the bug and the released patches, are in Sun Security Bulletin #00147.

And at long last, Sun has released patches to fix the SunOS and Solaris vulnerability to "ping of death" attacks. The information is included in Bulletin #00146.

The Bookstore
There are many personally-managed lists of security resources on the Internet. Patrick Oonk has put together a set of useful links that may not already be in your bookmark list.

Break-ins
There was unpleasant news for users of ESPN SportsZone and nba.com when they received e-mail claiming that their credit card information had been stolen. Up to 2,397 users may have their information in jeopardy. Check out the brief press article for a few more details.

The Toolbox
Sun has announced the release of a more secure "Trusted Solaris". It includes extensive auditing and security configuration features. I hope to include details of how useful or limiting Trusted Solaris is in a future column.

Trusted Solaris 2.5, an operating environment based on Sun's release of Solaris 2.5.1, provides multilevel security and robust host security required by commercial and government customers. It is a complimentary offering to Solaris that includes the Trusted CDE Window System, trusted file systems, trusted networking, security profiles, and trusted roles. It supports the new machines based on UltraSPARC technology, and provides interoperability with standard Unix hosts.

Differential Inc. has announced a product for securing extranets in an open, extensible manner. It claims to provide for easy encryption and authentication over the Internet via ftp and http protocols. The product includes auditing and secure remote administration. If you're looking to secure communications to remote sites, it might be worth a look.

Conferences
It's time to determine a strategy for getting your management to send you to some high-quality, security-related conferences. In October is Usenix LISA '97 which promises to provide its usual irresistible content and tutorials. Its San Diego setting also allows for off-hours fun.

Other upcoming conferences include SANS '97 and Unix and the Law III.

Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. peter.galvin@sunworld.com

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-08-1997/swol-08-security.html

Last modified:

Resources

Web Security & Commerce by Simson Garfinkel and Gene Spafford http://www.ora.com/catalog/websec/ Practical Unix and Internet Security by Simson Garfinkel and Gene Spafford http://www.amazon.com/exec/obidos/ISBN=1565922697/sunworldonlineA/
• Sun Security Bulletin #00147
  http://sunsolve1.sun.com/sunsolve/secbulletins
• Patrick Oonk's list of security resources
  http://www.pine.nl/~patrick/
• Press article on credit card numbers exposed at Starwave sites
  http://live.excite.com/News/970710/14.TECH-SECURITY.html
• Trusted Solaris 2.5
  http://www.sun.com:80/970715/cover/
• Differential Inc.
  http://www.differential.com
• Usenix LISA '97
  http://www.usenix.org/lisa97/
• SANS '97
  http://www.sans.org/network.html
• Unix and the Law III
  http://www.sug.org/CL3/index.html
• Full listing of Security columns in SunWorld
  http://www.sun.com/sunworldonline/common/swol-backissues-columns.html#security
• Also check out the SunWorld Site Index for stories on Web server security
  http://www.sun.com/sunworldonline/common/swol-siteindex.html#websec
• Related network security stories
  http://www.sun.com/sunworldonline/common/swol-siteindex.html#netsec
• Peter Galvin's recently updated Solaris Security FAQ
  http://www.sun.com/sunworldonline/common/security-faq.html

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-08-1997/swol-08-security.html
Last modified: